Last year, the Age Appropriate Design Code (“the Code”) came into force. It included a 12-month transition period to allow for organisations to conform, which expired on 1 September 2021. The Code sets out requirements to protect children’s data online and is unique in its scope.
What’s the purpose of the Code?
The Code states that it “addresses how to design data protection safeguards into online services to ensure they are appropriate for use by, and meet the development needs of, children”. It comes out of an acknowledgement that digital services are not inherently designed for children, and when children use them, data is being collected about them. It puts the welfare of children at the forefront.
What is the Code?
The Code considers the standards and principles set out in the United Nations Convention on the Rights of the Child. It sets out 15 flexible and interconnected standards of age-appropriate design that reflect a risk-based approach. The aim is that, by default, only a minimal amount of data is collected when children are accessing online services. The standards are wide-ranging and include, for example, ensuring that the best interests of the child should be the primary consideration (Standard 1), not using data in a way that is detrimental to the child (Standard 5), and data minimisation (Standard 8).
What does the Code apply to?
It applies to “information society services likely to be accessed by children”. This is wide-ranging and will include apps, devices, social media, gaming, and streaming services. This is by no means exhaustive. It is important to note that it is not limited to services that are targeted at children; it is all about access, i.e. if children are accessing the service, the Code applies.
What do you need to do?
Organisations are required to undertake significant assessment to ensure compliance with the 15 standards set out in the Code. This includes assessments on the services being provided, the user base and ensuring that the 15 standards are integrated into product and service design during the development process. The assessments are likely to be in the form of Data Protection Impact Assessments that focus on implementing privacy principles by default and by design.
For most organisations, this will also result in a review of policies, frameworks and procedures on the processing and collection of data belonging to children. The emphasis is on the requirement that only age-specific content is delivered to the intended audience, i.e. children. The Code sets a threshold of 18 years and organisations are required to assess whether anyone under that age will have the capacity to understand the content they are viewing, interact and express themselves without compromising their welfare.
What is the status of the Code and what if there is non-compliance?
The Code has been prepared under the Data Protection Act 2018. Whilst it is not law per se, if a business to which the Code applies cannot demonstrate that it is complying with it, it will be hard for that business to say that it is compliant with the law. The ICO can commence regulatory action against a business, and it will take the Code into account when investigating (this comes from powers conferred by s127 of the Data Protection Act 2018).
The penalties can vary, depending on the ICO’s view, and include assessment notices, warnings, reprimands, enforcement notices, and penalty notices. Where there are serious breaches, fines of up to £17.5m or 4% of annual turnover, whichever is higher, can be issued.
If your organisation requires assistance ensuring compliance with the Age Appropriate Design Code, I’m here to help. I am always happy to discuss your concerns and advise on appropriate action.